Trust & Security · HB Services

Trust & security

Built carefully. Documented honestly.

Plain English on how we protect your site, your data, and your identity. No marketing acrobatics.

Encryption at rest

Application data is stored in Neon Postgres (US-East), AES-256-GCM enveloped via pgcrypto with per-row data-encryption keys. The key-encryption key sits in Cloudflare Secrets Store and rotates quarterly via an automated workflow.

Encryption in transit

Every connection is TLS 1.3 with HSTS preload. Internal calls between the Worker and the assistant agent traverse a Cloudflare Tunnel gated by service-token authentication.

Modern authentication

Email + password (8+ characters, bcrypt-hashed), Google + Microsoft OAuth, magic links, and passkeys. Two-factor (TOTP) is available for any account; required for operator-level access.

Bot & abuse defense

Cloudflare Turnstile guards sign-up, sign-in, and password reset. Rate limits cap brute-force attempts. Suspicious sign-ins trigger an email alert.

Backups, verified daily

Daily Neon snapshots restored to a clean branch each night by an automated workflow. Weekly snapshots retained for 26 weeks. Restore-to-point is one click in the portal.

Quarterly key rotation

The key-encryption key rotates every 90 days. All active data-encryption keys are re-wrapped without downtime. Audit log captures every rotation event.

Auditable by design

Every privileged action — sign-in, password change, MFA enrollment, redesign approval, billing event — writes to an append-only audit log scoped to your org. Exportable as CSV.

Reporting a vulnerability

Found something? Tell us.

We treat security disclosures with respect. We don't lawyer up, we don't blame the messenger.

Security contact

security@hbservices.net

Replies within one business day. Acknowledgement within 24 hours, even on weekends, for confirmed user-impacting issues.

View security.txt →

Disclosure policy

Coordinated disclosure.We’ll fix and verify within 90 days, sooner where possible. We ask researchers to hold public disclosure until a fix is shipped.
Safe harbor.Good-faith research that doesn’t exfiltrate customer data, degrade service, or violate privacy is welcome — we won’t pursue legal action.
Acknowledgements. With your permission, we publicly credit researchers in our changelog after the issue is fixed.
No bounty (yet).We’re a small operation. We can’t pay cash bounties yet, but we’ll send a thank-you note and a year of free service for material findings.

Common questions

Plain answers.

Where does my data live?
Application data: Neon Postgres in US-East-2 (Ohio). Static assets and screenshots: Cloudflare R2. Edge cache and DNS: Cloudflare global. We don't replicate data outside the US.
Are you SOC 2 / ISO 27001 / HIPAA compliant?
Not yet. The infrastructure is built to those standards (encryption, audit, RBAC, MFA, backups) but we haven't completed a formal audit. Once we cross ~50 active clients we'll begin a SOC 2 Type II.
What about GDPR / CCPA?
We sign DPAs on request. We retain only what's required to run the service. You can export or delete your data any time from your settings page or by emailing legal@hbservices.net.
Do you sell or share data?
Never. We have no third-party advertising, no data brokers, no analytics that profile individuals. Internal analytics (PostHog) are limited to product usage and respect opt-out.
How are payments handled?
Stripe processes all payments. Card numbers never touch our servers — Stripe Elements tokenize on the client. We store a customer ID and a card brand/last-four for receipts.
What's your incident response process?
Anomaly → automated paging → triage → customer notification within 24 hours of confirmed user-impacting incident. Post-mortem published within 7 days. Disclosures via your portal and the status page.

More to ask? security@hbservices.net or book a consultation.

Trust & security

Built carefully. Documented honestly.

Plain English on how we protect your site, your data, and your identity. No marketing acrobatics.

Encryption at rest

Encryption in transit

Every connection is TLS 1.3 with HSTS preload. Internal calls between the Worker and the assistant agent traverse a Cloudflare Tunnel gated by service-token authentication.

Modern authentication

Email + password (8+ characters, bcrypt-hashed), Google + Microsoft OAuth, magic links, and passkeys. Two-factor (TOTP) is available for any account; required for operator-level access.

Bot & abuse defense

Cloudflare Turnstile guards sign-up, sign-in, and password reset. Rate limits cap brute-force attempts. Suspicious sign-ins trigger an email alert.

Backups, verified daily

Daily Neon snapshots restored to a clean branch each night by an automated workflow. Weekly snapshots retained for 26 weeks. Restore-to-point is one click in the portal.

Quarterly key rotation

The key-encryption key rotates every 90 days. All active data-encryption keys are re-wrapped without downtime. Audit log captures every rotation event.

Auditable by design

Every privileged action — sign-in, password change, MFA enrollment, redesign approval, billing event — writes to an append-only audit log scoped to your org. Exportable as CSV.

Reporting a vulnerability

Found something? Tell us.

We treat security disclosures with respect. We don't lawyer up, we don't blame the messenger.

Security contact

security@hbservices.net

Replies within one business day. Acknowledgement within 24 hours, even on weekends, for confirmed user-impacting issues.

View security.txt →

Disclosure policy

Coordinated disclosure.We’ll fix and verify within 90 days, sooner where possible. We ask researchers to hold public disclosure until a fix is shipped.
Safe harbor.Good-faith research that doesn’t exfiltrate customer data, degrade service, or violate privacy is welcome — we won’t pursue legal action.
Acknowledgements. With your permission, we publicly credit researchers in our changelog after the issue is fixed.
No bounty (yet).We’re a small operation. We can’t pay cash bounties yet, but we’ll send a thank-you note and a year of free service for material findings.

Common questions

Plain answers.

Where does my data live?
Application data: Neon Postgres in US-East-2 (Ohio). Static assets and screenshots: Cloudflare R2. Edge cache and DNS: Cloudflare global. We don't replicate data outside the US.
Are you SOC 2 / ISO 27001 / HIPAA compliant?
Not yet. The infrastructure is built to those standards (encryption, audit, RBAC, MFA, backups) but we haven't completed a formal audit. Once we cross ~50 active clients we'll begin a SOC 2 Type II.
What about GDPR / CCPA?
We sign DPAs on request. We retain only what's required to run the service. You can export or delete your data any time from your settings page or by emailing legal@hbservices.net.
Do you sell or share data?
Never. We have no third-party advertising, no data brokers, no analytics that profile individuals. Internal analytics (PostHog) are limited to product usage and respect opt-out.
How are payments handled?
Stripe processes all payments. Card numbers never touch our servers — Stripe Elements tokenize on the client. We store a customer ID and a card brand/last-four for receipts.
What's your incident response process?
Anomaly → automated paging → triage → customer notification within 24 hours of confirmed user-impacting incident. Post-mortem published within 7 days. Disclosures via your portal and the status page.

More to ask? security@hbservices.net or book a consultation.

Encryption at rest

Encryption in transit

Modern authentication

Bot & abuse defense

Backups, verified daily

Quarterly key rotation

Auditable by design

Disclosure policy

Where does my data live?

Are you SOC 2 / ISO 27001 / HIPAA compliant?

What about GDPR / CCPA?

Do you sell or share data?

How are payments handled?

What's your incident response process?

Encryption at rest

Encryption in transit

Modern authentication

Bot & abuse defense

Backups, verified daily

Quarterly key rotation

Auditable by design

Disclosure policy

Where does my data live?

Are you SOC 2 / ISO 27001 / HIPAA compliant?

What about GDPR / CCPA?

Do you sell or share data?

How are payments handled?

What's your incident response process?